On October 14, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory on ongoing malicious cyber activity against US water and wastewater facilities. CISA published the advisory in conjunction with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
In the advisory, the agencies highlight the targeting of both information technology (IT) and operational technology (OT) networks and systems at water and wastewater facilities. The advisory spotlights a series of cyberattacks that occurred over the last few years, attributed to both known and unknown cyber threat actors. Some of the incidents it describes had not been reported publicly before.
Importantly, CISA warns that this ongoing cyber activity threatens the ability of WWS (water and wastewater systems) facilities to provide clean, potable water to their communities. Bad guys may attempt to do this by compromising system integrity through unauthorized access.
The Tools and Methods to Target WWS
Among several methods, the advisory lists spear phishing as one of the prevalent methods to access water systems. It helps nation-states and cybercriminals alike to deploy malicious payloads. We know that there is often integration between IT and OT systems. Therefore, CISA also claims that access to either one provides cyber attackers access to the other.
According to CISA, exploitation of Internet-connected services such as Remote Desktop Protocol (RDP) is another route used to target water and wastewater facilities. Many water system operators began using RDP and similar tools for remote access following the outbreak of COVID-19, and where these tools run on outdated operating systems and software, they expose the facilities to attack.
Why Are WWS Facilities and Systems Vulnerable?
There is a tendency among WWS facilities to allot resources for the physical infrastructure, like pipes, instead of IT or OT infrastructure. Moreover, many of these facilities lack the resources to employ high cybersecurity standards regularly. Consequently, these factors compel them to continue to use outdated and unsupported operating systems and software.
Likewise, it is common for WWS systems to run outdated control system devices. As a result, these WWS networks are exposed to remotely exploitable flaws. A successful compromise of these devices can lead to loss of system control, loss of sensitive data, or denial of service.
Recent Cyberattacks in the Same Context
Concerning cyberattacks on water and wastewater facilities, the joint advisory lists a series of incidents from the past few years. These include the Ghost ransomware attack against a facility in California in 2021; the advisory reveals that the attackers sent the ransomware message after spending a month inside the system.
The advisory also highlights the ZuCaNo ransomware attack that took place in July this year. Essentially, it caused damage to a wastewater facility in Maine. Another cyberattack that the advisory discussed is the Makop ransomware. It hit the Jersey-based WWS facility in September 2020. The attack led to the compromise of files within their system.
The joint advisory also highlighted an incident at a Kansas-based WWS facility in March 2019, in which a former employee attempted to threaten the drinking water of a Kansas town. He used his own user credentials to access the facility remotely: at the time of his resignation, management had not revoked them.
Recommended Proactive Actions
CISA recommends the following actions that water and wastewater facilities can adopt to safeguard against malicious cyberattacks.
- Avoid clicking on suspicious links.
- Secure and monitor your RDP, if you must use it.
- Use strong passwords and multi-factor authentication (MFA).
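The two recommendations above that a SOC can act on directly are monitoring RDP and making sure departed staff can no longer log on, the gap behind the Kansas incident. The following is an added example of what that monitoring can look like; it is not code from the advisory or from CISA. It runs over a handful of constructed log records in a simplified form of the Windows Security event 4624/4625 fields (LogonType 10 is RemoteInteractive, i.e. RDP). The account names, IP addresses, allowed network and offboarding roster are all hypothetical values chosen for illustration.

```python
"""RDP logon monitoring example (added example, not from the CISA advisory).

Flags three conditions over simplified Windows Security event records:
  1. a successful RDP logon by an account on the offboarding roster,
  2. a successful RDP logon from outside the networks where remote access is expected,
  3. repeated failed RDP logons from one source address.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Windows Security event IDs and the RemoteInteractive (RDP) logon type.
LOGON_SUCCESS = "4624"
LOGON_FAILURE = "4625"
RDP_LOGON_TYPE = "10"

# Hypothetical: networks from which remote access is expected (e.g. the VPN pool).
ALLOWED_SOURCES = [ip_network("10.50.0.0/16")]

# Hypothetical offboarding roster: accounts that should already be disabled.
DEPARTED_ACCOUNTS = {"jdoe"}

# Threshold for repeated failed RDP logons from one source address.
FAILED_LOGON_THRESHOLD = 3

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
2021-10-12T01:12:44Z EventID=4624 LogonType=10 User=plant-ops SourceIP=10.50.3.21
2021-10-12T02:30:05Z EventID=4624 LogonType=10 User=jdoe SourceIP=10.50.7.9
2021-10-12T03:02:17Z EventID=4624 LogonType=10 User=scada-admin SourceIP=203.0.113.45
2021-10-12T03:05:00Z EventID=4624 LogonType=2 User=scada-admin SourceIP=127.0.0.1
2021-10-12T04:41:33Z EventID=4625 LogonType=10 User=operator SourceIP=198.51.100.7
2021-10-12T04:41:35Z EventID=4625 LogonType=10 User=admin SourceIP=198.51.100.7
2021-10-12T04:41:38Z EventID=4625 LogonType=10 User=plant-ops SourceIP=198.51.100.7
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    source_ip: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value key=value ...' into a dict."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def is_allowed_source(ip: str) -> bool:
    """True if the address falls inside one of the expected remote-access networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspicious_rdp_logons(log_text: str, departed=DEPARTED_ACCOUNTS) -> List[Finding]:
    """Return findings for the three conditions described in the module docstring."""
    findings: List[Finding] = []
    failures_by_source: Counter = Counter()
    last_failure: Dict[str, Dict[str, str]] = {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only RDP logons are of interest here
        user, src = rec["User"], rec["SourceIP"]

        if rec.get("EventID") == LOGON_FAILURE:
            failures_by_source[src] += 1
            last_failure[src] = rec
            continue
        if rec.get("EventID") != LOGON_SUCCESS:
            continue

        if user in departed:
            findings.append(Finding(rec["timestamp"], user, src,
                                    "departed account still able to log on via RDP"))
        if not is_allowed_source(src):
            findings.append(Finding(rec["timestamp"], user, src,
                                    "RDP logon from outside allowed networks"))

    for src, count in failures_by_source.items():
        if count >= FAILED_LOGON_THRESHOLD:
            rec = last_failure[src]
            findings.append(Finding(rec["timestamp"], rec["User"], src,
                                    f"{count} failed RDP logons from one source"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp_logons(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<12} {f.source_ip:<15} {f.reason}")
```

On the constructed input this reports the logon by the departed account, the successful RDP logon from an address outside the allowed range, and the burst of failed logons from a single source. In practice the departed-account check is only as good as the offboarding roster feeding it, so the roster should come from the HR or identity system rather than a hand-maintained list.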